
Content Disposition header being added on some urls...did not behave this way in 4.2.1 [SPR-13647] #18224

Closed
spring-projects-issues opened this issue Nov 6, 2015 · 3 comments
Labels: in: web, status: duplicate

Comments

spring-projects-issues commented Nov 6, 2015

Ryan Kaltreider opened SPR-13647 and commented

given the following urls

/users/user_name@website.com - Adds Content-Disposition f.txt
/users/user_name@website.com/ - functions as expected.

Controller Request Mapping is:

```
/users/{userId}
```

These urls both function as expected in 4.2.1

Please let me know if you need any other info. In my MVC config I have suffix matching set to false.

Affects: 4.2.2

Issue Links:

  • #18164 Content-Disposition header causes download in browser for Spring Boot Actuator endpoints ("duplicates")
  • #18124 Protect against RFD exploits
spring-projects-issues commented Nov 6, 2015

Ryan Kaltreider commented

Sorry, I think this might be a duplicate of #18165... apologies if it is.

spring-projects-issues commented Nov 6, 2015

Rossen Stoyanchev commented

This is a result of the fix for #18124. It's not an exact duplicate of #18165 probably which says that Content-Disposition should not be added for responses not in the 200-299 range. This is however a duplicate of #18164.

Alas, the Content-Disposition header is necessary for RFD protection. We've just updated the docs with information on that and there is also the CVE report.

A key assumption is that such Content-Disposition header doesn't affect REST API calls. However if typed into a browser there is the side effect. Could you confirm the impact of the Content-Disposition header in your case? Thanks.
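
The suffix-based decision described above, as an added Python model that is not part of this thread or of Spring's code. It assumes the header `Content-Disposition: inline;filename=f.txt` is added only when the last path segment carries an extension that is neither in a small safe list nor mapped to a known media type; the safe list and media-type table are illustrative, not the framework's exact ones. This is why the two URLs from the report behave differently: a trailing slash leaves the last segment empty.

```python
"""Model of the path-suffix check behind the RFD-protection header.

Constructed example: not Spring's implementation. The safe-extension list and
the media-type registry below are assumed, illustrative values.
"""
from urllib.parse import urlsplit

# Assumed list of extensions the server treats as safe (illustrative subset).
SAFE_EXTENSIONS = {"txt", "text", "yml", "properties", "csv", "json", "xml", "atom", "rss"}

# Assumed extension -> media type registry the server can resolve (illustrative).
KNOWN_MEDIA_TYPES = {"json": "application/json", "xml": "application/xml", "html": "text/html"}

# Header value as reported in this issue (assumed to be fixed, not derived from the path).
RFD_HEADER_NAME = "Content-Disposition"
RFD_HEADER_VALUE = "inline;filename=f.txt"


def path_extension(path: str) -> str:
    """Return the lowercase extension of the last path segment, or '' if none.

    A trailing slash makes the last segment empty, so '/a/b.com/' yields ''.
    """
    last_segment = path.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return ""
    return last_segment.rsplit(".", 1)[-1].lower()


def needs_rfd_header(url: str) -> bool:
    """True when the suffix is present but neither safe nor a resolvable media type."""
    ext = path_extension(urlsplit(url).path)
    if not ext:
        return False
    return ext not in SAFE_EXTENSIONS and ext not in KNOWN_MEDIA_TYPES


def response_headers(url: str) -> dict:
    """Headers a JSON endpoint would send for the given request URL under this model."""
    headers = {"Content-Type": "application/json"}
    if needs_rfd_header(url):
        headers[RFD_HEADER_NAME] = RFD_HEADER_VALUE
    return headers


if __name__ == "__main__":
    for u in ("/users/user_name@website.com", "/users/user_name@website.com/"):
        print(u, "->", response_headers(u))
```

Under this model `/users/user_name@website.com` yields the extension `com`, which is neither safe nor resolvable, so the header is added; the same path with a trailing slash has no extension and gets none.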

spring-projects-issues commented Nov 11, 2015

Rossen Stoyanchev commented

Resolving as duplicate of #18164. Feel free to comment however. We also have a fix in the works, follow #18164 for that.
